Plug Into USB, Get a Reverse Shell

Computers blindly trust USB devices connected to them. There’s no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller.

We’ve recently seen two examples of this: the USBdriveby and the Teensyterpreter. Both devices are based on the Teensy development board. When connected to a computer, they act as a Human Interface Device to emulate a keyboard and mouse.

The USBdriveby targets OS X. When connected, it changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim’s machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks. AppleScript is used to position the window in a known location, then the buttons can be reliably clicked by code running on the Teensy. After modifying DNS, a reverse shell is opened using netcat. This allows for remote code execution on the machine.

The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using PowerShell. The process happens in under a minute, and works on all Windows versions newer than XP.

With a $20 microcontroller board you can quickly fire up remote shells for… “support purposes”. We’d like to see the two projects merge into a single codebase that supports both operating systems. Bonus points if you can do it on our Trinket Pro. Video demos of both projects after the break.

Building a Portable Ham Radio Station

Nowadays, you can get into ham radio on the cheap. A handheld radio can be had for less than $30, and licensing is cheap or free depending on where you live. However, like most hobbies, you tend to invest in better kit over time.

[Günther] just finished up building this portable ham station to meet his own requirements. It runs off 230 VAC, or a backup 12 V car battery for emergency purposes. The Yaesu FT897d transceiver can communicate on HF + 6m, 2m, and 70 cm bands.

This transceiver can be controlled using a Microham USB-3 interface, which provides both CAT control and a soundcard. This pre-built solution is a bit simpler than the DIY option. With the interface in place, the whole rig can be controlled by a laptop running Ubuntu and open-source HAM software.

With the parts chosen, [Günther] picked up a standard 5 U 19″ rack, which is typically used for audio gear. This case has the advantage of being durable, portable, and makes it easy to add shelves and drawers. With an automotive fuse block for power distribution and some power supplies, the portable rig is a fully self-contained HAM station.

PeriUSBoost: A DIY USB Battery Pack

If you travel often, use your mobile devices a lot, or run questionable ROMs on your phone, you likely have an external USB battery pack. These handy devices let you give a phone, tablet, or USB powered air humidifier (yes, those exist) some extra juice.

[Pedro]’s PeriUSBoost is a DIY phone charging solution. It’s a switching regulator that can boost battery voltages up to the 5 volt USB standard. This is accomplished using the LTC3426, a DC/DC converter with a built-in switching element. The IC is a tiny SOT-23 package, and requires a few external passives to work.

One interesting detail of USB charging is the resistor configuration on the USB data lines. These tell the device how much current can be drawn from the charger. For this device, the resistors are chosen to set the charge current to 0.5 A.

While a 0.5 A charge current isn’t exactly fast, it does allow for charging off AA batteries. [Pedro]’s testing resulted in a fully charged phone off of two AA batteries, but they did get a bit toasty while powering the device. It might not be the best device to stick in your pocket, but it gets the job done.

An ATtiny Boost Converter

This schematic is all you need to build your own voltage converter. [Lutz] needed a converter that could boost 5 V to 30 V to power a string of LEDs. The solution was to use a low-cost ATtiny85 and some passive components to implement a boost converter.

This circuit follows the classic boost converter topology, using the ATtiny85 to control the switch. The 10 ohm resistor is fed back into the microcontroller’s ADC input, allowing it to sense the output voltage. By measuring the output voltage and adjusting the duty cycle accordingly, the circuit can regulate to a specified voltage setpoint.

A potentiometer is used to change the brightness of the LEDs. The software reads the potentiometer’s output voltage and adjusts the voltage output of the circuit accordingly. Higher voltages result in brighter LEDs.

Of course, there are many other ways to implement a boost converter. Most practical designs will use a chip designed for this specific purpose. However, if you’re interested in rolling your own, the source and LTSpice simulation files are available.

Running Debian on a Graphing Calculator

While the ubiquitous TI-83 still runs off an ancient Zilog Z80 processor, the newer TI-Nspire series of graphing calculators uses modern ARM devices. [Codinghobbit] managed to get Debian Linux running on a TI-Nspire calculator, and has written a guide explaining how it’s done.

The process uses Ndless, a jailbreak which allows code to run at a low level on the device. Ndless also includes a full SDK, emulator, and debugger for developing apps. In this case, Ndless is used to load the Linux kernel.

The root filesystem is built on a PC using debootstrap and the QEMU ARM emulator. This allows you to install whatever packages are needed via apt, before transitioning to the calculator itself.

With the root filesystem on a USB flash drive, Ndless runs the Linux loader, which starts the kernel, mounts the root filesystem, and boots into a Debian system in about two minutes. As the video after the break demonstrates, this leaves you with a shell on the calculator. We’re not exactly sure what to do with Linux on a graphing calculator, but it is a neat demonstration.

A Z80 Micro TV Clock

As an adventure in computer history, [Len] built up a clock. The Z80 Micro TV Clock brings together a homebrew computer and three Micro TVs into a rather large timepiece.

The computer powering the clock runs the CP/M operating system. This OS was eventually released as open source software, and a variety of homebrew computer projects have implemented it. This clock is based on an existing breadboard CP/M machine, which includes schematics and software.

With an OS running, [Len] got a text editor and C compiler working. Now custom software could be written for the device. Software was written to interact with a Maxim DS12885 Real Time Clock, which keeps the time, and to output the time to the display controllers.

The Micro TVs in this build are Sony Watchman displays featuring a 2″ CRT. The devices had no video input port, so [Len] ripped them open and started poking around. The NTSC signal was found by probing the board and looking for the right waveform.

To drive the TVs from CP/M, a custom video driver was built. This uses three relatively modern ATmega328P microcontrollers and the arduino-tvout library. All of these components are brought together on a stand made from wood and copper tubing, making it functional as a desktop clock.

Photographing a Display Controller Die

Who doesn’t like integrated circuit porn? After pulling a PCD8544 display controller from an old Nokia phone, [whitequark] disrobed it and took the first public die shot.

As we’ve seen in the past, removing a die from its packaging can be a challenge. It typically involves nasty things like boiling acid. Like many display controllers, the PCD8544 isn’t fully encapsulated in a package. Instead, it is epoxied to a glass substrate.

Removing the glass proved to be difficult. [whitequark] tried a hot plate, a hot air gun, sulphuric acid, and sodium hydroxide with no success. Then the heat was turned up using MAPP gas, which burned the epoxy away.

After some cleaning with isopropanol, the die was ready for its photoshoot. This was done using a standard 30 mm macro lens. Photo processing was done in darktable, an open source photography tool and RAW processor.

[whitequark] plans to take closer photos in the future using more powerful magnification. These high resolution die photos can be useful for a number of things, including finding fake chips and reverse engineering retro hardware.